Wireguard VLAN to VLAN Issue

[JulesTr]

Hello together,

I tried solving my problem, by adapting other similiar issues, but I did not work.

I am in a network run by OPNSense and a cisco switch. We have multiple VLANs for every home.

Let us call them VLAN 1, 2, 3, etc.

The VLANs have the following rules:    
Permit Access VLAN1 --> VLAN1
Block Access to other VLANs

Every VLAN has a static public IP.

I have installed a Wireguard Server in VLAN1 on my private server.

It works flawlessly when I am in my VLAN1 or any other "outside world" network.

The issue is: I have a shared office desk in VLAN2 and I want to connect to the Wireguard VPN, but I can't get it to work. The handshake times out.

I looked into the logs and to no surprise "Block Access to other VLANs" rule, blocked the traffic to my VLAN1.

I added the rule above "Block Access to other VLANs" the rule "Allow all traffic VLAN2 to VLAN1". The traffics gets passed through, but the handshake still fails.

Before I mess something up, I wanted to ask, what I'm doing wrong. Or which traffic I have to let through additionally.

My wireguard has: AllowedIPs = 0.0.0.0/0, ::/0
From what I understand, this should not be the issue.
I am pointing to the server via duckdns and it's static IP.

I'm pretty noobish, so please talk to me with that in mind.

[Monviech (Cedrik)]

Try creating a floating rule, and select the interfaces you wish to enable the wireguard traffic onto your OPNsense from.

Quick: Checked
Proto: UDP
Source: Any
Destination: This Firewall
Destination Port: 51820 (or your wireguard port)

[JulesTr]

Just to make double sure:

I am not using OPsense wireguard feature built into the FW, I am hosting my own instance in my VLAN1.

Is this still the way to go?

[Monviech (Cedrik)]

Oh I misread you there.

No thats probably not the way to go then. For this to work you need a port forwarding rule so that when traffic from a client (probably targeting the external IP address of the wireguard server) in another VLAN hits the firewall, the firewall redirects the traffic back to your internal VLAN1 Wireguard Server.

Here's a guide with an example how to do it, just adjust it to your case with wireguard, udp and the internal IP addresses you use:

https://docs.opnsense.org/manual/how-tos/nat_reflection.html

[mimugmail]

Or you just allow traffic from Vlan2 to you wireguard Server IP on Rules : Vlan2 in incoming direction  above the block rule

[JulesTr]

I already had the port forward setup for wan for my server as well as nat > outbount for my subnet connecting to my external ip (method 1 in linked tutorial) with    Hybrid outbound NAT rule generation

I simply added VLAN2 to the port forward of my server. So in the end the port forward looked like:

WAN, VLAN2 -> TCP/UDP > Server External IP > 51820> Server internal IP > 51820

Additionally I have Port 80 and 443 forwarded for the server. I added VLAN2 to those as well.

This did not work.

I tried this as well:

Or you just allow traffic from Vlan2 to you wireguard Server IP on Rules : Vlan2 in incoming direction  above the block rule

In the end I tried various configurations and at last added all available interfaces to the port forward.

No luck.

Is it possible that one floating rule or another rule is messing this up? Or should I try Method 2/3 in Tutorial?

[JulesTr]

And i completely forgot:

Thank you that you took the time to help me :-)

[Monviech (Cedrik)]

Hey no problem, lets get to the bottom of this.

It's really weird that this doesn't work for you.

Could you post a small ascii (or other) network diagram that explains your setup (just wan, and the two vlans)?

Also post:
Firewall: Diagnostics: Statistics
filter rules
nat rules

For readability just use IPs from "203.0.113.0/24" as your external IP to mask your real ones.

[mimugmail]

Add log checkboxes for Logging Traffic on vlan2 rules and portforward. Then go to Live Log and check logs when connecting

[JulesTr]

I'll try to make it after work. There are around 250 nat and 500 filter rules.

Most are identical as we have the identical Vlans for every home. All together 10. I'll try to filter them out.

[JulesTr]

I took a small work break :-P and at least turned all logs. Connected to WG server. It seems that I'm connecting to the server, but I still do not have internet connection. I read something in the tutorial about automatic nat reflection rules, but did not really understand it. I attached the screenshot of the settings. I suspect that some rule makes me go round in circles.

The log screenshot show the only two things that seem to get triggered when I connect to the WG server.

[mimugmail]

One second, you mean you are connected via WireGuard but can't get internet access via the tunnel? So this means that you internal Wireguard server in vlan1 has a tunnel net and this tunnel net wants to go out ont vlan1 to internet. That means, this tunnel net needs to be routed on OPNsense to your WG server, or, the WG server need to nat the WireGuard client to the vlan1 IP von the WG server ... maximum confusion 

[JulesTr]

Jesus fing christ. I barely worked today for my regular but. But:

I made it work.

It made me think, that you said it should work for me. I figured, if this should work and I followed the tutorial right, then there is a really odd/rare problem or there is something else not working.

So i resettet everything to the initial config.

I went into the cisco switch and permitted all for VLAN 1 -VLAN 2 and vice verse. Then I could ping the server, but still wireguard did not work.

Then I followed the tutorial again and added VLAN 2 to the port forward rule of port 58120 of my WG server.

And boom it worked.

Then I went back to the cisco switch and modified the rule to only let through traffic through specifically to my server on port 51820.

And it still works. I'm quite happy. I probably spent like 30 hours setting up the WG Server with Adguard, Unbound, DoH and figuring out this problem. And learned a lot in the process.

Thank you for your patience and helping me out. I wouldn't have been able to do it without your help. This was the most helpful forum interaction I probably had ever!

Thank You. Have a very nice day 

This can be closed